
Overview

opCharts 3 introduces a new authorization system for MSPs which runs in parallel to the original system, so two modes run side by side. Administration of the new "portal" system can only be done by a user with opCharts admin access from the original authorization system.

...

To assign privileges to a role, navigate to a resource list (Views -> Charts, Maps or Business Services), select a specific resource's checkbox in the grid and click the Permissions button (the light blue box with a key icon). A modal will appear listing the current permissions; press "+" in the top left corner, select the desired role and action, and save.


NMIS Groups

Once a Role is created you can assign NMIS Groups to that role. This enables the Nodes view in opCharts and allows the Role to view devices within that group. Once a Group is assigned to a Role the user will see the Nodes view as the default Dashboard when logging into opCharts.


Users

Users are given privileges by being assigned to a role.  When the user logs in, they will be directed to a page showing resources they have access to.  The Views GUI menu will show links to other resources they also have access to.

...

Note: If an external auth_method such as an LDAP server has been provisioned in opCommon.nmis, a user password cannot be set here.

Resources (charts/maps/business services)

...

Resource            Path
Charts              /root/opcharts/chart/<chart_name>
Maps                /root/opcharts/map/<map_name>
Business Services   /root/opcharts/business_service/<business_service_name>
Dashboards          /root/opcharts/dashboard/<dashboard_name>

...


CLI Interface (oprbac_admin.pl)

...

Code Block
Usage: oprbac_admin.pl act=[action to take] [extras...]

oprbac_admin.pl act=list-{users|roles|privs|objects} [verbose=0]
verbose: include data beyond name and description

oprbac_admin.pl act=export-{user|role|priv|object} {name=...|path=...} [file=path]
file: save JSON to file, otherwise printed to STDOUT.

oprbac_admin.pl act=delete-{user|role|priv|object} {name=...|path=...} 
deletes the indicated record.

oprbac_admin.pl act={create|update}-{user|role|priv|object} [name=...] [description=...] [property.zyxxyz=...] [file=path]
file: read JSON from file and update record with that data.
property: each property value can be a deeper structure encoded in JSON, set to 'undef' if property no longer wanted

oprbac_admin.pl act=update-user {name=...} [roles|privileges][=|+=|-=]name[,...]
oprbac_admin.pl act=update-role {name=...} privileges[=|+=|-=]name[,...]
= replaces, += adds and -= removes the named roles or privileges. comma-separated lists of names are supported.

oprbac_admin.pl act=check-access user=userX action=actionY object=pathZ [verbose=0]
returns 1 if the user is authorized to perform the given action.

oprbac_admin.pl act=prune-orphans
removes unused orphaned privilege entries.

...

  1. Create a privilege, this could be auto-created for us when doing other actions but then we would have to look up the name or id created by parsing output.  I’ve named it ‘group_branches_read’ because I intend for it to represent the ability to read the branches group, it can be named whatever you want (as long as it is unique).
  2. Create an object that represents the group by giving the correct path (with the group name), and tell that object that read permissions are granted using the privilege name from step #1.  

  3. Create a new role, and give the role our privilege.

Code Block
nmis64:bin root$ ./oprbac_admin.pl act=create-priv name=group_branches_read
created new privilege (internal id 582ba442a77ea70da3448f11)
nmis64:bin root$ ./oprbac_admin.pl act=create-object path=root,opcharts,group,Branches read_privileges=group_branches_read
created new object
nmis64:bin root$ ./oprbac_admin.pl act=create-role name=BranchesRole privileges=group_branches_read
created new role (internal id 582ba4c9a77ea70dcf4c2ea1)

In the GUI you should now see that group “Branches” has a new role listed with read permissions. The privilege “group_branches_read” could be used to access to other objects as well.

oprbac_admin.pl also allows updates, so if the role in question already exists and you want to add a new privilege, use act=update-role and either set or add the new privilege (with privileges=<newpriv> or privileges+=<newpriv>, respectively).
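The following is an added example, not Opmantek's code: a small in-memory model of the four record types oprbac_admin.pl manages (privs, objects, roles, users), the `=`, `+=` and `-=` operators of act=update-role and act=update-user, act=check-access (1 when authorized, 0 otherwise) and act=prune-orphans. It replays the three-step Branches walkthrough above and then checks access for a user assigned to BranchesRole. How opCharts actually stores these records, whether it validates privilege names on update, and the exact matching rule (here: an object grants an action when the user's effective privileges, direct plus those of all assigned roles, intersect the object's `<action>_privileges` list; anything unknown is denied) are assumptions of this example.

```python
"""Toy model of the RBAC records behind oprbac_admin.pl (added example, not
Opmantek's code). Storage layout and matching rules are assumptions."""
import re
from dataclasses import dataclass, field

# Matches the CLI's "roles+=a,b" / "privileges-=x" / "privileges=y" syntax.
ASSIGN_RE = re.compile(r"^(roles|privileges)(\+=|-=|=)(.*)$")


def normalise(path):
    """Accept both 'root,opcharts,group,Branches' and '/root/opcharts/group/Branches'."""
    return tuple(p for p in re.split(r"[,/]", path) if p)


def parse_assignment(text):
    """Split 'privileges+=a,b' into ('privileges', '+=', ['a', 'b'])."""
    m = ASSIGN_RE.match(text)
    if not m:
        raise ValueError(f"bad assignment {text!r}")
    return m.group(1), m.group(2), [n for n in m.group(3).split(",") if n]


def apply_op(current, op, names):
    """'=' replaces the set, '+=' adds to it, '-=' removes from it."""
    if op == "=":
        return set(names)
    if op == "+=":
        return current | set(names)
    return current - set(names)


@dataclass
class Store:
    privs: set = field(default_factory=set)
    objects: dict = field(default_factory=dict)  # path tuple -> {action: privilege names}
    roles: dict = field(default_factory=dict)    # role name -> privilege names
    users: dict = field(default_factory=dict)    # user -> {"roles": set, "privileges": set}

    def _require_privs(self, names):
        # Assumption: reject unknown privilege names so a typo cannot create a silent no-op grant.
        missing = set(names) - self.privs
        if missing:
            raise ValueError(f"unknown privilege(s): {sorted(missing)}")

    def create_priv(self, name):
        self.privs.add(name)

    def create_object(self, path, **props):
        # e.g. read_privileges="group_branches_read" -> action "read"
        obj = {}
        for key, value in props.items():
            if key.endswith("_privileges"):
                names = [n for n in value.split(",") if n]
                self._require_privs(names)
                obj[key[: -len("_privileges")]] = set(names)
        self.objects[normalise(path)] = obj

    def create_role(self, name, privileges=""):
        names = [n for n in privileges.split(",") if n]
        self._require_privs(names)
        self.roles[name] = set(names)

    def create_user(self, name):
        self.users[name] = {"roles": set(), "privileges": set()}

    def update_role(self, name, assignment):
        field_, op, names = parse_assignment(assignment)
        if field_ != "privileges":
            raise ValueError("roles carry privileges only")
        self._require_privs(names)
        self.roles[name] = apply_op(self.roles[name], op, names)

    def update_user(self, name, assignment):
        field_, op, names = parse_assignment(assignment)
        known = set(self.roles) if field_ == "roles" else self.privs
        if set(names) - known:
            raise ValueError(f"unknown {field_}: {sorted(set(names) - known)}")
        self.users[name][field_] = apply_op(self.users[name][field_], op, names)

    def check_access(self, user, action, path):
        """act=check-access: 1 if authorised, else 0. Unknown user/object -> deny."""
        u = self.users.get(user)
        obj = self.objects.get(normalise(path))
        if u is None or obj is None:
            return 0
        effective = set(u["privileges"])
        for role in u["roles"]:
            effective |= self.roles.get(role, set())
        return 1 if effective & obj.get(action, set()) else 0

    def prune_orphans(self):
        """act=prune-orphans: drop privileges no role, user or object references."""
        used = set()
        for r in self.roles.values():
            used |= r
        for u in self.users.values():
            used |= u["privileges"]
        for o in self.objects.values():
            for names in o.values():
                used |= names
        orphans = self.privs - used
        self.privs -= orphans
        return orphans


if __name__ == "__main__":
    # Replay of the three-step walkthrough, plus a user bound to the role (constructed data).
    s = Store()
    s.create_priv("group_branches_read")
    s.create_object("root,opcharts,group,Branches", read_privileges="group_branches_read")
    s.create_role("BranchesRole", privileges="group_branches_read")
    s.create_user("alice")
    s.update_user("alice", "roles+=BranchesRole")
    print(s.check_access("alice", "read", "/root/opcharts/group/Branches"))
```

Running check_access after every change is the cheapest way to confirm that a `-=` really revoked what you meant: the revocation takes effect immediately for every user holding the role, because privileges are resolved through the role at check time rather than copied onto the user.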

Add or edit Role properties (opCharts 3.0.7 and later)

...